Advisories

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

* Advisory ID: DRUPAL-SA-CONTRIB-2017-067
* Project: Entity reference (third-party module)
* Version: 7.x
* Date: 2017-August-16
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

The entity reference module provides a field type that can reference
arbitrary entities.

In a vulnerable configuration, an attacker could determine the titles of
nodes they do not have access to.

Drupal 8 Core - Multiple Vulnerabilities

The following alert is for the general Drupal public. All Drupal projects on the Drupion platform are updated automatically unless opted out per the instructions on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis.... Drupion users can ask questions under this post on https://www.drupion.com/blog/drupal-8-core-multiple-vulnerabilities

Views - Moderately Critical - Access Bypass

Drupion customers should pay special attention: contributed modules are not covered by the automatic Drupal core updates announced on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis....

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Views
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069

* Advisory ID: DRUPAL-SA-CONTRIB-2017-069
* Project: Views Refresh (third-party module)
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

When creating a view, you can optionally use Ajax to update the displayed
data via filter parameters. The views refresh module did not restrict
access to the Ajax endpoint to only views configured to use Ajax. This is
mitigated if you have access restrictions on the view.

Session Cache API - Critical - Multiple vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2017-065
* Project: Session Cache API (third-party module)
* Version: 7.x, 8.x
* Date: 2017-August-09
* Security risk: 18/25 (Critical)
* Vulnerability: Multiple vulnerabilities

DESCRIPTION

This module does not safely deal with serialization.

VERSIONS AFFECTED

* Session Cache API 7.x-1.4

Drupal core is not affected. If you do not use the contributed Session Cache API module, there is nothing you need to do.

SOLUTION

Facebook Like Button - Moderately Critical - XSS

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Facebook Like Button (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 13/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module provides a Facebook Like button on node pages and in blocks.
The module does not sufficiently sanitize output when configured to use
custom CSS rules.

Better field descriptions - Critical - XSS

* Advisory ID: DRUPAL-SA-CONTRIB-2017-064
* Project: Better field descriptions (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 16/25 (Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables you to add themeable descriptions to fields in forms.

The module doesn't sufficiently sanitize descriptions.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "add better descriptions to fields".

VERSIONS AFFECTED

Relation - Moderately Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2017-063
* Project: Relation (third-party module)
* Version: 7.x
* Date: 2017-August-09
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass

DESCRIPTION

This module enables you to store relationships between entities as fieldable
entities.

The module doesn't sufficiently check permissions when displaying related
entities' labels with the Relation Dummy Field module widget.

Services Views - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-062
* Project: services_views (third-party module)
* Date: 2017-August-02

DESCRIPTION

This module provides views support for the Services module.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

VERSIONS AFFECTED

* All versions
